EXECUTIVE OFFICE OF THE PRESIDENT 
OFFICE OF MANAGEMENT AND BUDGET 
WASHINGTON, D.C. 20503 

September 17, 1985 

LEGISLATIVE REFERRAL MEMORANDUM 



TO: 

Department of Defense - Werner Windus (697-1305) 
General Services Administration - Ted Ebert (566-1250) 
Central Intelligence Agency 


SUBJECT: Commerce (NBS) testimony on H.R. 2889, the "Computer 
Security Research and Training Act of 1985." 


The Office of Management and Budget requests the views of your 
agency on the above subject before advising on its relationship to 
the program of the President, in accordance with Circular A-19. 

Please provide us with your views no later than 

2:30 P.M. TODAY, SEPTEMBER 17, 1985 

Direct your questions to Gregory Jones (395-3454), of this office. 



Enclosures 

cc: S. Dotson 

K. Sheid 
E. Springer 
U.S. DEPARTMENT OF COMMERCE 

STATEMENT OF MR. JAMES H. BURROWS 
DIRECTOR, INSTITUTE FOR COMPUTER SCIENCES AND TECHNOLOGY 
NATIONAL BUREAU OF STANDARDS 

BEFORE THE SUBCOMMITTEE ON LEGISLATION AND NATIONAL SECURITY 
COMMITTEE ON GOVERNMENT OPERATIONS 
U.S. HOUSE OF REPRESENTATIVES 


SEPTEMBER 18, 1985 

MR. CHAIRMAN AND MEMBERS OF THE COMMITTEE: 

Thank you for inviting me to speak to you today and for your interest in 
this critically important subject. The need for computer security has 
never been greater than it is today. The legislation that you are 
considering, HR 2889, takes note of the factors that contribute to this 
pressing need - the government's dependence on computers, the scale of 
government computer operations, the widespread dispersal of personal 
computers throughout the government, and the valuable and sensitive 
information that is contained in government computer systems. 

Rapidly changing technology and the escalating use of computers will 
continue to make computer security a high priority issue in the future. 
We see that it is impossible to return to manual methods once an organization 
adopts automated data processing methods. To achieve efficient information 
interchange, we must strive for standard, interchangeable hardware and 
software systems. At the same time, however, we will increase the 
vulnerability of our systems to external and internal threats. 

Sanitized Copy Approved for Release 2010/04/06 : CIA-RDP87M01152R001101350039-4 





To prevent serious accidents that cripple our ability to carry out data 
processing operations and to avoid compromise of sensitive information, we 
must stimulate an awareness of the need for computer security in managers 
and users of computer systems. This is the key element in a campaign to 
improve computer security, and this is the thrust of HR 2889. I believe 
that this legislation addresses clearly established needs for computer 
security research and for training the people who manage, use, and operate 
Federal government computers. 


Training for computer security is going to be essential in tomorrow's 
computing environment. The reports last week about the high level of 
personal computer use in Federal agencies highlight the urgency of this 
need. Issuing directives to improve security will not be enough. 
Structured, organized, systematic training opportunities will be a must 
if the Federal government expects to exploit the use of advanced technology 
for staff productivity and reduced costs of government. 


The legislation calls for the National Bureau of Standards (NBS) to develop 
technical procedures and practices, and guidelines for use in training. 

Many guides and reports that NBS has developed are already available for 
use in training programs. However, in order to address the computer 
security problem it will be necessary to expand the kinds of materials 
NBS develops and to develop materials suitable for widely different needs. 
Computer security awareness programs must be available not only for the 
managers and users of automated information systems, but also for other 
agency personnel such as internal auditors, Inspectors General personnel, 
and budget analysts and managers. This will be essential to enable 
corrective actions to be proposed and implemented for information systems 
development, operation, and modification. 

These awareness programs and the renewed emphasis on computer security 
will also heighten the demand for timely products from NBS. Further, as 
new uses are made of computers and as new users become familiar with 
computer capabilities, new weaknesses will be exposed. Therefore, 
continuing attention to research and the development of effective 
preventive techniques will be needed. 

The Institute for Computer Sciences and Technology at the National Bureau 
of Standards is currently carrying out a program of research in 
computer security areas. This program was started in 1972 as a component 
of our responsibilities under P.L. 89-306, the pioneering legislation 
authored by Chairman Brooks to improve the efficient and effective use 
of computers in the Federal government. Responsibility for developing 
computer security standards and guidelines is also specifically assigned 
to the Department of Commerce under OMB Circulars, and has been delegated 
to NBS. 

The problems that we are addressing are broad in scope and include many 
different hazards -- for example, physical damage to computers, accidents, 
destruction of data, theft of data and software, programming and data 
errors, omissions, and abuse of computing resources. While breaking into 
systems and computer crime are serious incidents, they are just one aspect 
of the problem. We are also concerned about the losses that result from 
processing incorrect data, from interruptions to data processing, and 
from lack of controls to prevent misuse of computers by authorized personnel. 
A vast amount of unclassified, but sensitive, information must be protected. 
This includes personal, proprietary, and other information protected 
under the Privacy and Freedom of Information Acts. 

ICST's program is targeted to three principal objectives: computer integrity, 
this means the ability to prevent or detect unauthorized actions by 
systems or unauthorized modification of computer information; confidentiality, 
the ability to prevent unauthorized disclosure of information; and availability, 
the ability to assure that processing resources are ready and waiting 
when needed. Failure to achieve these objectives in Federal government 
computing operations could result in undesirable events ranging from 
threats to national security to denial of benefits to citizens, loss of 
government money and resources, human injury, or loss of life. 

Under our legislative charter and policy directives, we develop management 
guides, test methods, performance measures, technical information and 
advice, guidelines, and standards. In developing our products and services 
we pay particular attention to the problems of Federal computer users and 
to the development of cost effective security methods that are appropriate 
to the information and systems to be protected. We also emphasize good 
preventive techniques because it is more cost effective to avoid costly 
errors and accidents than to recoup after an expensive mistake. We have 
found that State and local governments, business, and industry users have 
problems similar to the Federal government's and that our technical 
products are used by the private sector as well as by the public sector. 
They are frequently used as the basis for training and education programs 
such as those conducted by the Small Business Administration and the 
Office of Personnel Management. 
In the area of computer security and risk management, as well as in other 
program areas, we work closely with users in large and small organizations 
to learn about their experiences and their needs for technical and management 
solutions to their computer utilization problems. Because we are a small 
organization, we believe that the best way to achieve change is to work 
through the organizations. We sponsor, and participate in, conferences, 
workshops, and meetings to share information and to keep users and industry 
informed of our activities, as well as to learn what others are doing. 

We respond to requests for advice and consultation, we participate in 
training seminars to the extent that we can, and we provide direct technical 
assistance to Federal agencies on a reimbursable basis for a limited number 
of projects that are related to our program. 

I want to emphasize especially our work with the Department of Defense 
and especially the DoD Computer Security Center. DoD has conducted 
extensive research in the development of security technology for national 
defense applications. We are continually evaluating the applicability 
of DoD's research activities to the civilian side of government and the 
private sector, so that we can transfer appropriate technology to the 
users who need it. Guest workers from DoD are working with ICST staff, and 
we maintain close staff contact on technical issues. We will be hosting 
the seventh joint workshop on computer security with DoD later this 
month. The workshops have been well attended by both government and 
industry participants. 

We have cooperated with the General Accounting Office in their reviews 
and evaluation of agency computer security and have provided briefings 
and seminars on computer security to many Federal and State government 
organizations. We also participate in meetings sponsored by business 
and industry organizations to learn what they are doing and to make 
their good practices available to government users. Groups that we work 
with include EDP auditors, computer security professionals, internal 
auditors, universities, bankers, lawyers, and computer user groups. 

As a result of our interactions with these groups, we are in a position 
to analyze user experiences and to identify best practices based on 
currently available technology. We have published a variety of reports, 
documents, guides, and studies conveying what we have learned, and we 
recommend sources of information and assistance. Through our contacts 
at many levels and with many organizations, we try to leverage our products 
so they reach a wide audience. For example, we are a clearinghouse of 
information that we have collected on computer security training 
opportunities, reading lists, and computer security services. This 
information is available electronically on a computer-based bulletin board. 

We cooperate with business and industry to develop national and international 
consensus standards for computers and networks. We can do this effectively 
because of our knowledge of user and industry needs for standards and the 
position of trust that we have as objective participants in the standards 
process. Our goal is to stimulate the development of off-the-shelf 
commercial products that will expand choices, provide for interoperability 
of components and systems, and broaden opportunities for applications of 
new technology. 


We are working with voluntary standards development groups sponsored by 
the American National Standards Institute, Institute of Electrical and 
Electronics Engineers, the International Organization for Standardization, 
the American Bankers Association, and other national and international 
groups. We also participate with the National Communications System and 
the General Services Administration to develop Federal Standards for 
telecommunications. 

Another important collaborative effort is our work with the Department of 
the Treasury to develop a policy to assure the integrity of electronic 
fund transfers. Last year Treasury issued a directive requiring the use 
of a voluntary standard for Financial Institution Message Authentication, 
to protect the billions of dollars that are transferred electronically 
every day. ICST was a major contributor to the standard, and to other 
voluntary standards developed for the private sector banking community. 

The Treasury directive requires that all of its bureaus' EFT transactions 
be authenticated using Data Encryption techniques. Authentication is a 
process of coding and decoding significant phrases in a message to assure 
that it has been sent by an authorized party and has not been tampered 
with during transmission. ICST staff has been working with the voluntary 
standards community to draft a standard for protecting the secret keys 
that are used in coding and decoding messages. Automated key management 
techniques that were developed and patented by ICST staff are specified 
in this standard. Available on a license-free basis to organizations 
that want to use them, these techniques are being implemented in ICST's 
laboratory to help organizations test their products for compliance with 
the standard. A list of certified message authentication devices and 
techniques will be developed by Treasury with ICST and National Security 
Agency assistance. 
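The message authentication the paragraph above describes, shown as an added example that is not part of the testimony and not ICST's or Treasury's own code. The banking standard of the period computed its authentication code with a DES-based algorithm; Python's standard library carries no DES, so this example substitutes HMAC-SHA-256 (an assumed stand-in, not the standard's algorithm) to show what the mechanism buys: the sender and receiver share a secret key, the sender computes a code over the "significant phrases" of a transfer, and the receiver recomputes it and rejects any message whose code does not match. The message, account and bureau names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample transfer (not a real Treasury message format): the fields a
# counterfeiter would most want to alter are the payee account and the amount.
SAMPLE_MESSAGE = (
    b"FROM=BUREAU-7;TO=ACCT-0192837465;AMOUNT=1250000.00;"
    b"DATE=19850918;SEQ=000417"
)


def generate_key() -> bytes:
    """Shared secret key. In deployment it is distributed and rotated under a
    key-management scheme; here it is simply drawn from the OS random source."""
    return secrets.token_bytes(32)


def authenticate(key: bytes, message: bytes) -> bytes:
    """Sender side: compute the message authentication code over the whole
    message. Anyone without the key cannot produce a valid code."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the code and compare in constant time, so the
    comparison's timing does not leak how many leading bytes matched."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run the exchange and the failure cases; returns the verification results."""
    key = generate_key()
    tag = authenticate(key, SAMPLE_MESSAGE)

    results = {}
    # 1. Genuine message and code from the key holder: accepted.
    results["genuine"] = verify(key, SAMPLE_MESSAGE, tag)

    # 2. Payee altered in transit, original code carried along: rejected,
    #    because the code covers the account field.
    tampered = SAMPLE_MESSAGE.replace(b"ACCT-0192837465", b"ACCT-9999999999")
    results["tampered"] = verify(key, tampered, tag)

    # 3. Receiver holding a different key: rejected, so a code is only
    #    meaningful between the two parties that share the key.
    results["wrong_key"] = verify(generate_key(), SAMPLE_MESSAGE, tag)

    # 4. Attacker computes a fresh code under a key of their own choosing:
    #    rejected, since the receiver checks against the shared key.
    forged = authenticate(generate_key(), tampered)
    results["forged"] = verify(key, tampered, forged)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>10}: {'ACCEPTED' if accepted else 'REJECTED'}")
```

Two points the testimony leaves implicit follow from the code: the code protects integrity and origin only, not secrecy, since the message still travels in the clear; and a replayed genuine message would verify, which is why the constructed sample carries a date and sequence number for the receiver to check separately.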
ICST is working in conjunction with the National Security Agency (NSA) 
in developing proposed standards for data integrity and security in 
distributed computer networks. These efforts will focus on methods of 
securing data communications using data encryption techniques in a network 
of microcomputers. Commercially available software, protocols, and 
equipment will be used wherever possible. The network and primary security 
features will be unclassified, but will be designed to support more 
stringent security requirements for special applications. 

Security of personal computers is currently under investigation. We 
recently issued a guide explaining security threats in the use of small 
computers and ways to reduce the risks. We are looking at a wide range of 
commercially available computer security devices for small systems to 
develop guidance for users on cost effective and secure equipment. 

We are participating in a joint project with the President's Council on 
Integrity and Efficiency to develop criteria for auditors to use in 
establishing their work plans for auditing for security and controls through- 
out the life cycle of an automated information system. Specific guides 
and recommendations will be issued through this effort. 

Security must be an integral part of overall systems planning. Therefore, 
we must be concerned about security in all of our technical activities, 
and we must address all aspects of computer system development and operations. 
This includes software systems, networks, storage media, and other hardware 
components. The weak link can appear anywhere in a complex system, and a 
comprehensive approach is needed to assure that strengths in one part 
of the system are not wiped out by weaknesses elsewhere. 
As you know the Department of Commerce is one of the members of the 
National Telecommunications and Information Security Committee 
established under National Security Decision Directive 145, and we 
are participating in the Subcommittee on Automated Information Systems 
Security. A major focus is the development of definitions of sensitive, but 
unclassified, government or government-derived information which has an 
impact on national security. 

We believe that we can contribute to the implementation of NSDD 145 which 
complements, but does not substitute for, our work. We expect to continue 
to issue Federal Information Processing Standards for automated information 
processing security under our current authorities. Those that are appropriate 
for issuance under NSDD 145 will be submitted for processing under the 
procedures that are being developed by the National Telecommunications 
and Information Security Committee. For example, Federal Information 
Processing Standard 112, Password Usage, is the first approved FIPS that 
will also be processed under the Directive. Its intended use includes 
protecting passwords in both the classified and unclassified information 
environments. It incorporates guidance developed by the DoD Computer Security 
Center to use password systems in national security computer systems. 
By using the NSDD 145 mechanism for disseminating documents such as 
this, we can help to avoid duplication of effort and achieve effective 
dissemination of coherent, consistent information on computer security 
throughout the Federal government. 

I thank the Committee for its interest in ICST's work, and I will be 
very happy to answer your questions. 